If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

Networking Guide 7 - Network Access and Security

Networking Guide 7 - Network Access and Security

There are two prerequisites that you should keep in mind when you access a resource on the network: network access and the proper security clearance. These items work together to allow you access to a particular resource.

The first of these two topics that you need to consider is network access. Network access involves installing client software on your computer. This software gives your computer the instructions that it needs to be able to access the network.

Network security involves ensuring that only authorized users have access to the network and that they access it only in authorized ways. You want to ensure that hardware, software, and data are available to authorized users when they are needed, but you also want to ensure that hardware, software, and data are not compromised or threatened. In addition to providing network access, client software works with the network operating system to provide network security.

As a network administrator, you can create an effective security plan in a number of ways and by using a variety of tools and procedures. Some of these are practical, commonsense safeguards, and others involve implementing protective systems and technologies. Although numerous recent examples indicate that almost no network is completely immune to security breaches, taking advantage of the measures in this chapter gives you a head start.

You’ll start by learning the different types of clients and how they are installed. You’ll then learn some of the simplest of security measures, usernames, and passwords, including good and bad examples. You’ll then move on to the more complex ways to secure your network—firewalls and proxies. Finally, you’ll learn about some threats that may exist for your network. The Network+ exam covers all of these topics.

Tip - If someone can walk in and take your server or backup tapes, you don’t have much security at all. In the real world, you’ll want to ensure that all appropriate and necessary physical mechanisms are in place to protect your network.

Accessing Network Resources

Generally speaking, computers don’t know how to access the various resources on your network. Each workstation OS (such as DOS and Windows 95/98, for example) knows how to access only its own local resources (such as local printers and local disk storage). For this reason, network operating systems use various methods to enable workstations to access network resources.

Windows 95/98 computers can use both the various built-in software clients and third-party client software to achieve network connectivity. As a network administrator, you’ll need to tailor the connection software to your network. This is known as proper client selection . Once the client and the server are communicating, the PC can connect to network directories. Drive mappings allow reproducible connections from the local workstation to a network drive. Additionally, local print jobs on the PC are redirected instead of being sent out of a physical LPT port. The job is then sent to a network printer. This is achieved through printer port captures. Let’s look at each of these in detail.

Client Selection

A workstation communicates with the server over a certain protocol using client software. The protocol might be IPX/SPX (Internet Packet eXchange/Sequenced Packet eXchange), TCP/IP, or NetBEUI. Protocols are separate from the client software, but in some instances, the installation of protocols is integrated into the installation of client software. In Windows 95/98, installed protocols and clients are listed together. To display a listing of the protocol(s) and client(s) currently installed, follow these steps:

Choose Start - Settings - Control Panel to open Control Panel.
Double-click Network to open the Network dialog box.

Installed clients are listed in the Configuration tab, at the top of the list above installed protocols and network adapters

Installing the Windows 95/98 and NT/2000 Client

Not surprisingly, Windows 95/98 comes with a client to connect to Microsoft servers and PCs. The Client for Microsoft Networks is the preferred client to access Microsoft networks. You also need this client to run the server tools for Windows NT/2000 on a Windows 95/98 computer to be able to perform domain administrative tasks.

Additionally, the network administrator will also have to authenticate (provide username and password at a login screen) again when using the server tools versions of administrative utilities on a Windows 95/98 machine. Therefore, the best combination for a network administrator’s desktop machine is Windows NT/2000 Workstation or Server with the Client for Microsoft Networks.

Follow these steps to install the Microsoft Client for Networks on a Windows 95/98 computer:

Be sure that your network interface card (NIC) is properly installed and configured. The operating system must already recognize the card. Locate your Windows 95/98 CD and have it ready.

Connect your network cable, and ensure that the link light on the NIC is on.

Make sure that you are at the Windows 95/98 Desktop.

Choose Start - Settings - Control Panel to open Control Panel.

Double-click Network to open the Network dialog box.

Click Add to open the Select Network Component Type dialog box.

Click the Client icon in the list, and then click Add to open the Select Network Client dialog box.

In the Manufacturers box, click Microsoft.

In the Network Clients box, click Client for Microsoft Networks, and then click OK.

Click OK in the Network dialog box.

Place the Windows 95/98 CD in the drive if prompted to do so. Locate the install CAB files, and click OK if prompted. The Copying Windows Files screen opens and then closes.

In the System Settings Change dialog box, click Yes. The system will now reboot.

Installing the NetWare Client

You have two options for setting up user workstations to connect to a NetWare network:

Novell NetWare Client

Microsoft Client for NetWare Networks

The one you select depends on your network and users. If you have a predominantly Windows NT network, the Microsoft client might better fit your needs. If you have a NetWare network or a hybrid network with a substantial Novell base, you need to use the Novell client; the latest version is available from Novell. Stay away from the clients distributed with Microsoft Windows 95/98 and NT/2000.

NetWare Client CD as part of the NetWare installation CD set or floppies (only with older versions)

The ZENworks CD

The SYS volume of a NetWare server

What happens when you lose connectivity with your NetWare server and you need to install client software? If you are using IPX/SPX without a web proxy server, downloading the software from the Novell website is out. Many companies place software media under lock and key, and require support staff to install from the network. If that is the case with your company, that cuts out installing from CDs and floppies. The SYS volume is useless if you can’t access the server. To avoid these problems, place a copy of the client installation software on your local PC the first time you connect to a NetWare server.

Tip Regardless of the vendor you choose, a good practice is to download the installation files for your operating system (CABs for Windows 95/98, i386 directory for NT), client software, video drivers, and NIC drivers as soon as you connect to a server.

Don’t forget about yourself. The best combination for the network administrator’s computer is a Windows 95/98 or NT/2000 operating system with the Novell NetWare Client. Novell’s NDS takes care of authentication, thus addressing network security. Use Windows NT/2000 if you want additional security on your local machine. As an administrator, you have no choice about the client. Without Novell’s client you will not get the full functionality of the NetWare Administrator utility and, besides, Novell’s client is free.

To install the Novell Client for NetWare on a Windows 95/98 computer, follow these steps:

Download the latest Novell Client for NetWare from the Novell website, and run the self-extracting file. Or insert your NetWare Client CD.

Double-click the setup.exe file. (This is true for the non-ZENworks version of the client software.) The Novell client license agreement window opens.

Read the license agreement, and then click Yes to accept the agreement and to open the Welcome dialog box.

In the Select an Installation Option section, click Typical.

Click Install to open the Building Driver Information Database and Copying Files windows.

You’ll be asked if you want to set the preferred server properties for NetWare 3.x servers or the preferred tree, context, and server properties for NetWare 4.x and later servers.

If you click Yes, you will have an opportunity to set these properties in the Novell NetWare Client Properties dialog box. Click OK when you finish entering the information, and the installation continues.

If you click No, the installation continues.

Note On Windows 95/98 computers, some files need to be copied from the Windows 95/98 CABs. If these are not in the Windows\Options\Cabs directory, you will be prompted to insert the Windows 95/98 installation CD.

When the installation is finished and you are prompted to restart the computer, click Reboot.

Warning Be sure that your IPX/SPX or TCP/IP protocol stacks are properly configured.

Installing the Unix Client

Windows 95/98 needs the client portion of the Network File System (NFS) to connect to the Unix NFS. If a computer has this client installed, NFS Client—or similar wording—will appear in the listing in the Network dialog box.

Note Windows 95/98 computers without an NFS client can connect directly to a Unix system that is running Samba. Samba is a free server-based solution that uses Server Message Blocks (SMBs) to allow Microsoft clients to see the Unix file system. Samba is available from ftp://samba.anu.edu.au/pub/samba/. Samba is designed for Unix servers and will not install on a Windows 95/98 PC.

The client portion of NFS is currently available only from third-party vendors. No NFS client is distributed with Windows 95/98 or NT/2000. Two popular NFS client vendors are Sun and NetManage. Sun Microsystems offers server and client products for Unix server to PC connectivity. Its clientbased product is Solstice NFS Client. NetManage offers several products, including Chameleon UnixLink. You should select the vendor and product based on your individual needs and budget and after evaluating the demo software. Since third-party options tend to be more popular than their primary vendor counterparts, we’re going to demonstrate the installation of NetManage’s Chameleon.

Note You can get a demo of Chameleon from the NetManage website at www.netmanage.com. This is a demo; after 30 days, the software ceases to function.

To install the NetManage Chameleon UnixLink on a Windows 95/98 PC, follow these steps:
Double-click setup.exe in the Cham_95\NFS directory. This directory is on your CD or in your download directory after extraction. The NetManage Setup and License Notice windows open.
Read the License Notice, and click Accept to open the Setup Option dialog box.
Click Typical, and then click Next to open the Serial Number dialog box.
Enter your serial number and key in their fields, and then click Next to open the Select Directory dialog box.

Note The serial number and key are typically included on a document that comes with the software. You can also obtain them from the website where you downloaded the free software (usually called a “demo” key).

Verify the installation directory. By default it is C:\NETMANAG.95. If you want to install to a different directory, enter the path or browse to the directory. When you are finished, click Next. Files are installed when the Copy Files dialog box opens.
The Building Driver Information Database and Copying Files windows open. You may be prompted for your Windows 95/98 CD if the CAB files are not on your local hard drive.
The Information screen opens, telling you that it will now install support programs. Click OK to open the Choose Program Destination Location dialog box.
Click Next. The NetManage Setup window tells you that components are being installed.
In the Finish window, click Finish. The NetManage Setup window opens, telling you that you must restart Windows for the changes to take effect.
Click Yes to restart Windows

Selecting a Primary Client

Now you have connections to your NT, NetWare, and Unix servers. You now must determine which one will be the primary client on your Windows 95/98 machines. The first question you must ask yourself is: Which servers do your users most often access? For your CAD/CAM engineers, it may be Unix; for web design, it could be either NT or NetWare. Each user will want their favorite servers to appear first in the Network Neighborhood. As an administrator, you will want to gain quick access to the network you spend the most time managing. The network administrator can set a primary type of client to speed access and searches.

To set a primary client on a Windows 95/98 PC, follow these steps:

Choose Start - Settings - Control Panel to open Control Panel.

Double-click Network to open the Network dialog box with the Configuration tab selected. Notice the Client for Microsoft Networks, the NetManage UnixLink NFS Client, and the Novell NetWare Client at the top of the dialog box.

Click the drop-down button to the right of the Primary Network Logon text field to display the drop-down list.

Scroll down through the options, and select the primary client of your choice. Your selection now appears in the Primary Network Logon text field.

Click OK to save the change. The System Settings Change dialog box opens, asking you to restart your computer.

Managing User Account and Password Security

Usernames and passwords are key to network security, and you use them to control initial access to your system. Although the network administrator assigns usernames and passwords, users can generally change their passwords. Thus, you need to ensure that users have information about what constitutes a good password. In this section, we’ll look at the security issues related to user accounts and passwords, including resource-sharing models and user account and password management

Network Resource-Sharing Security Models
You can secure files that are shared over the network in two ways:

At the share level
At the user level
Although user-level security provides more control over files and is the preferred model, implementing share-level security is easier for the network administrator. Let’s examine these two security models and their features.

Share-Level Security

In a network that uses share-level security, you assign passwords to individual files or other network resources (such as printers) instead of assigning rights to users. You then give these passwords to all users who need access to these resources. All resources are visible from anywhere in the network, and any user who knows the password for a particular network resource can make changes to it. With this type of security, the network support staff will have no way of knowing who is manipulating each resource. Share-level security is best used in smaller networks, where resources are more easily tracked.

Note Windows 95/98 and Windows NT/2000 support share-level security.

User-Level Security

In a network that uses user-level security, rights to network resources (such as files, directories, and printers) are assigned to specific users who gain access to the network through individually assigned usernames and passwords. Thus, only users who have a valid username and password and have been assigned the appropriate rights to network resources can see and access those resources. User-level security provides greater control over who is accessing which resources because users do not share their usernames and passwords with other users (or at least they shouldn’t). User-level security is, therefore, the preferred method for securing files.

Managing Accounts

First and foremost, you manage access to network resources through a user account and the rights given to that account. The network administrator is charged with the daily maintenance of these accounts. Common security duties include renaming accounts and setting the number of concurrent connections. You can also specify where users can log in, how often they can log in, at what times they can log in, how often their passwords expire, and when their accounts expire.

Disabling Accounts

When a user leaves the organization, you have three options:

Leave the account in place.
Delete the account.
Disable the account.
If you leave the account in place, anyone (including the user to whom it belonged) can log in as that user if they know that user’s password. Therefore, leaving the account in place is a security breach. Deleting the account presents its own set of problems. If you delete an account and then create a new one, the numeric ID associated with that user (UID in Unix, SID in Windows Server) is lost. It is through this number that passwords and rights to network resources are associated with the user account. If you create a new user account with the same name as the user account you deleted, the identification number of the new account will be different from that of the old account, and thus none of the settings of the old account will be in place for the new account.

Note This same concept holds true for NetWare, although NetWare does not use a number to uniquely identify each entity. Each NDS object (including users) is a unique object ID.

Your best practice is to disable an account until a decision has been made as to what should happen to the account. Perhaps you’ll want to simply rename the account when a new person is hired. When you disable an account, it still exists, but no one can use it to log in. You might also disable an account (rather than deleting it) if someone leaves for an extended period (for example, on maternity/paternity leave or medical leave). In most network operating systems, disabling an account involves changing a setting to say something like Account Disabled.

Disabling Temporary Accounts

Because of the proliferation of contract and temporary employees in the information technology industry, you need to know how to manage temporary accounts. A temporary account is used for only a short period (less than a month or so) and then disabled.

Managing the accounts of temporary employees is easy. You can simply set the account to expire on the employee’s anticipated last day of work. The NOS then disables, but does not delete, these accounts on the expiration date.

Setting Up Anonymous Accounts

Anonymous accounts provide extremely limited access for a large number of users who all log in with the same username, which is often Anonymous or Guest. An anonymous login is frequently used to access FTP files. You log in with the username Anonymous and enter your e-mail address as the password.

Tip Users don’t necessarily enter their correct e-mail address. If you really want to know where on the Internet the user is located, use third-party software to verify IP addresses and Internet domain names.

Avoid using anonymous accounts for regular network access. If someone is using an anonymous account, you cannot track who manipulated a file. Windows NT/2000 comes with the anonymous account Guest disabled. NetWare does not automatically create a guest account. You should not change these default setups.

Some web servers create an Internet user account to allow anonymous access to the website. The Internet user account is automatically created and allowed to access the web server over the network. The password is always blank. You never see a request to log in to the server. This is done automatically. Without this account, no one would be able to access your web pages.

Warning Do not rename the Internet user account or set a password. If you do so, the general public will not be able to view your website. If you want to secure documents, use another web server, secure HTTP, Windows NT domain and file security, or NetWare Directory Services security.

Limiting Connections

You may want to limit the number of times a user can connect to the network. Users should normally be logged in to the network for only one instance, because they can only be in one place at a time. If the system indicates they are logged in from more than one place, someone else might be using their account. When you limit concurrent connections to one, only a single user at a single workstation can gain access to the network using a particular user account. Some users, however, might need to log in multiple times in order to use certain applications or perform certain functions. In that case, you can allow the user to have multiple concurrent connections.

Limiting the location from which a user logs in can be important also, because typical users shouldn’t log in to the network from any place but their own workstation. Although in theory this is true, it is not often implemented in most corporations. Users move stations, often not taking their computers with them. Or they have to log in at someone else’s station to perform some function. Unless you require really tight security, this restriction requires too much administrative effort. Both NetWare and Windows NT/2000 can limit which station(s) a user is allowed to log in from; however, by default, user accounts are not restricted in this respect. This is probably acceptable in most cases. If you really want to tighten security, restrict users to logging in from their assigned workstations. By default, Windows NT/2000 servers do not allow a regular user to log in at the console because most users should not be working directly on a server. They can do too much damage accidentally. In NetWare, the console interface is entirely different and is not used to access network resources, so this is not an issue.

Renaming the Maintenance Account

Network operating systems automatically give the network maintenance (or administration) account a default name. In Windows NT/2000, this account is named Administrator; in Unix, it is Root, and in NetWare, it is Admin. If you don’t change this account name, hackers already have half the information they need to break in to your network. The only thing they’re missing is the password.

Rename the account to something innocuous or use the same naming convention that is used for regular users. For example, jmorris is a much better choice than super is. Here is a list of common names that you should not use:

Managing Passwords

Like any other aspect of network security, passwords must be managed. Managing passwords involves ensuring that all passwords for user accounts follow security guidelines so that they cannot be easily guessed or cracked, as well as implementing features of your network operating system to prevent unauthorized access.

What Makes a Strong Password?

Generally speaking, a strong password is a combination of alphanumeric and special characters that is easy for you to remember and difficult for someone else to guess. Unfortunately, many users try to make things easy on themselves and choose passwords that are easy to guess. Let’s look at some characteristics of strong passwords.

Minimum Length

Strong passwords should be at least 8 characters, if not more. They shouldn’t be any longer than 15 characters so that they are easy to remember. You need to specify a minimum length for passwords because a short password is easily cracked. For example, there are only so many combinations of three characters. The upper limit depends on the capabilities of your operating system and the ability of your users to remember complex passwords. Users will forget passwords that are too long, so you must balance ease of remembrance with the level of security you need to implement.

The Weak List

Here are some passwords that you should never use:
The word password
Proper names
Your pet’s name
Your spouse’s name
Your children’s names
Any word in the dictionary
A license plate number
Birth dates
Anniversary dates
Your username
The word server
Any text or label on the PC or monitor
Your company’s name
Your occupation
Your favorite color
Any of the above with a leading number
Any of the above with a trailing number
Any of the above spelled backward

There are others, but these are the most commonly used weak passwords.

Using Characters to Make a Strong Password

Difficult-to-crack passwords do not have to be difficult to remember and include a combination of numbers, letters, and special characters (not just letters, not just numbers, not just special characters, but a combination of all three). Special characters are those that cannot be considered letters or numbers (for example, $ % ^ # @). An example of a strong password is tqbf4#jotld. Such a password may look hard to remember, but it is not. The following sentence uses every letter in the English alphabet: The quick brown fox jumped over the lazy dog. Take the first letter of each word, put the number 4 and a pound (#) symbol in the middle, and you have a strong password.

To consistently get strong passwords, you can use auditing tools, such as a crack program that tries to guess passwords. If you use strong passwords, the crack program should have great difficulty guessing a password. Use special characters and numbers in the middle of the password, for example, under43gate@w#ay. Do not use just a regular word preceded or ended by a special character. Good crack programs strip off the leading and trailing characters in their decryption attempts.

Here are a few examples of strong passwords:

run4!cover
iron$steel4
four$score

I’d include a few more, but I don’t want to give away all my secrets!

Warning Never write your password on a note and stick it under your keyboard or on your monitor. This is the most common network security breach.

NOS Password Management Features

All network operating systems (including NetWare, Unix, and Windows NT/2000) include functions for managing passwords so that the system remains secure and passwords cannot be easily hacked with crack programs. These functions include automatic account lockouts and password expiration.

Automatic Account Lockouts

Hackers (as well as users who forget their passwords) attempt to log in by guessing the user’s password. To ensure that a password can’t be guessed by repeatedly inputting different passwords, most network operating systems have a feature that allows the account to be disabled, or locked out, after several unsuccessful login attempts. Once this feature is enabled, the user cannot log in to that account even if the correct password is entered. This feature prevents a potential hacker from running an automated script to continuously attempt logins using different character combinations for the password.

After a lockout is activated, to log in successfully the user must ask the network support staff to unlock the account if the network operating system doesn’t unlock it after a preset period. In high-security networks, it is usually advisable for an administrator to manually unlock every locked account rather than letting the NOS do it automatically. In this way, the administrator is notified of a possible security breach.

Warning Be careful not to lock yourself out. With many network operating systems, only administrators can reset passwords. If you are the administrator and you lock yourself out, only another administrator can unlock your account. If you are the only administrator, you have a problem. Many NOS vendors do have solutions to this problem, but the solution will cost you.

Password Expiration

Passwords, even the best ones, do not age well over time. Eventually someone will guess or crack a password if it never changes. The impact of someone guessing your password is reduced—even if a password is guessed—if passwords are set to expire after a certain amount of time. After this time (which varies and can be set by the administrator), the old password is considered invalid, and a new one must be specified. This new password is valid until it expires and another password must be specified.

Most organizations set up passwords to expire every 30 days. After that, users must reset their passwords immediately or during the allotted grace period. Some systems give the user a few grace logins after the password has expired. As the administrator, you should limit this grace period to a number of times or days.

Tip Each network operating system specifies a password expiration period. If your organization’s policy states that users must change their passwords every 30 days, check to see if your operating system is enforcing that. For example, in NetWare the default expiration date is every 40 days and therefore might need to be changed.

Unique Passwords and Password Histories

In older versions of many network operating systems, users could reset their passwords to their original form after using an intermediary password for a while. More recent network operating systems prevent this practice by using password histories.

A password history is a record of the past several passwords used by the user. When the user attempts to use any password stored in the password history, the password fails. The operating system then requests a password change again. When implementing a password history policy, be sure to make the password history large enough to contain at least a year’s worth of password changes. For a standard 30-day life span password, a history of 12 or 13 passwords will suffice.

Advanced users know about the history feature. Creating a good password takes some time. Once a user finds a password, the human tendency is to want to keep it and use it for everything, which is counter to good security policy. If a user really likes a particular password or does not want to remember a new one, he or she will try to find a way around password histories. For example, one user admitted changing her password as many times as it took to defeat the history log. She then changed the password one last time back to her original password. This can take less than five minutes of a user’s time.

Administrators can force users to change their passwords so that they are unique. The latest operating systems (including NetWare 4.x and later, as well as Windows NT 4) require unique passwords. All passwords are stored, and, depending on the NOS, more than 20 passwords can be stored. Reverting to any of the previous passwords is not allowed.

Using Firewalls

It is popular these days to connect a corporate network to the Internet. By connecting your private network (only authorized users have access to the data) to a public network (everyone connected has access to the data), you introduce the possibility for security break-ins. For this reason, firewalls are implemented. A firewall protects a private network from unauthorized users on a public network.

Firewalls are usually a combination of hardware and software. The hardware is typically a computer or a dedicated piece of hardware (often called a black box) that contains two network cards. One connects to the public side; the other, to the private side. The software controls how the firewall operates and protects your network. It examines each incoming and outgoing packet and rejects any suspicious packets. In general, firewalls work by allowing only packets that pass security restrictions to be forwarded through the firewall.

Note The Network+ certified system administrator usually does not have the resources to design, install, and manage a firewall. This section is to help you work in an environment where a firewall is already installed. You might also work as part of a team to install or upgrade your company’s firewall solution. This section will give you the tools you need to understand the basic operation of a firewall.

Firewalls can be placed on top of an existing operating system or be selfcontained. Black box systems are proprietary systems that have external controls and are not controlled by the operating system. If you want to use a general-purpose operating system, you have two options: Unix and Windows NT. Both can support third-party firewall products. Novell makes its own firewall product, BorderManager, which is excellent and runs on NetWare. But at the time of this writing, there are few third-party firewall products for NetWare.

Note All Windows NT firewalls should be installed on Windows NT Server computers rather than on Windows NT Workstation computers.

Firewall Technologies

There are many firewall technologies, and they differ in the method they use to restrict information flow. Some, such as access control lists and dynamic packet filtering, are themselves used as firewalls. Others, such as proxies and demilitarized zones, are implemented with other firewall technologies to make a more robust, complete implementation.

Access Control Lists (ACL)

The first form of defense for every network connected to the Internet is access control lists (ACL). These lists reside on your routers and determine which machines (that is, which IP addresses) can use the router and in what direction. ACLs have been around for decades and have other uses apart from a firewall.

The Demilitarized Zone (DMZ)

Most firewalls in use today implement a feature called a DMZ, which is a network segment that is neither public nor local, but halfway between. People outside your network primarily access your web servers, FTP servers, and mail-relay servers. Because hackers tend to go after these servers first, you should place them in the DMZ. A standard DMZ setup has three network cards in the firewall computer. The first goes to the Internet. The second goes to the network segment where the aforementioned servers are located, the DMZ. The third connects to your intranet.

When hackers break into the DMZ, they can see only public information. If they break into a server, they are breaking into a server that holds only public information. Thus, the entire corporate network is not compromised. Last, no e-mail messages are vulnerable; only the relay server can be accessed. All actual messages are stored and viewed on e-mail servers inside the network.

Protocol Switching

Protocol switching protects data on the inside of a firewall. Because TCP/IP is the protocol used on the Internet, many external types of attacks, including the Ping of Death and SYN floods (discussed later in this chapter), are based on this protocol stack.

You can choose between two common approaches:
Use a different protocol (not TCP/IP) on the internal network inside the firewall. For example, IP-based attacks aimed at your development server will never have any effect if you are using IPX on the internal network side of a router. This approach makes a router a natural firewall.
Use TCP/IP on both the internal network and the Internet, and use a different protocol in a dead zone between them. For example, switch from IP to IPX in a dead zone, and then switch back to IP again once inside your network.
Note In both approaches, only the internal network is protected. You still need a firewall to handle any attacks on your network’s access point and protocolswitching device.

Dynamic Packet Filtering

Packet filtering is the ability of a router or a firewall to discard packets that don’t meet certain criteria. Firewalls use dynamic packet filtering to ensure that the packets it forwards match sessions initiated on the private side of a firewall. A dynamic state list (also known as a state table), held on a firewall, keeps track of all communications sessions between stations inside the firewall and stations outside the firewall. This list changes as communications sessions are added and deleted. Dynamic state lists allow a firewall to filter packets dynamically.

In dynamic packet filtering, only packets for current (and valid) communications sessions are allowed to pass. Someone trying to play back a communications session (such as a login) to gain access will be unsuccessful if the firewall is using dynamic packet filtering with a dynamic state list, because the data sent would not be recognized as part of a currently valid session. The firewall will filter out (or “drop”) all packets that don’t correspond to a current session using information found in the dynamic state list. For example, a computer in Network A requests a Telnet session with a server in Network B. The firewall in between the two keeps a log of the communication packets that are sent each way. Only packets that are part of this current communication session are allowed back into Network A through the firewall.

Proxy Servers

Proxy servers(also called proxies, for short) act on behalf of a network entity (either client or server) to completely separate packets from internal hosts and from external hosts. Let’s say an internal client sends a request to an external host on the Internet. The request is first sent to a proxy server, where it is examined, broken down, and handled by an application. That application then creates a new packet requesting information from the external server. Figure 8.5 shows the process. Note that this exchange is between applications at the Application layer of the OSI model.
Proxies are good firewalls because the entire packet is dissected, and each section can be examined for invalid data at each layer of the OSI model. For example, a proxy can examine a packet for information contained in everything from the packet header to the contents of the message. Attachments can also be checked for viruses. Messages can be searched for keywords that might indicate the source of a packet.

You can use this type of searching to prevent sensitive information from exiting your organization with the outbound data stream. If your sensitive documents contain a header or footer that includes the words MyCompanyName Confidential, you can set up your proxy server software to search for those keywords. This level of detailed searching degrades performance, however, because it is more time-intensive than checking state lists.

There are many types of proxy servers, including IP, web, FTP (File Transport Protocol), and SMTP (Simple Mail Transfer Protocol). Each type is used for a different purpose and uses different methods.

IP Proxy

An IP proxy hides the IP addresses of all stations on the internal network by exchanging its IP address for the address of any requesting station. You do not want a hacker to know IP addresses specific to your internal network. Web servers on the Internet will also be unable to determine the specific IP address from which a request is being sent. All communications look as if they originate from the proxy server. This type of proxy is also known as Network Address Translation (NAT).

Web (HTTP) Proxy

Web proxies (also called HTTP [Hypertext Transfer Protocol] proxies) handle HTTP requests on behalf of the sending workstation. When implemented correctly, a client’s web browser asks a web server on the Internet for a web page using an HTTP request. Because the browser is configured to make HTTP requests using an HTTP proxy, the browser sends the request to the proxy server. The proxy server changes the From address of the HTTP request to its own network address and sends it to the Internet web server. The response to the HTTP request goes directly to the proxy (because it replaced the sender’s address with its own). The proxy server then replaces its address with the address of the original sender, and the response is delivered to the original sender.

The most popular implementation of a web proxy is a proxy cache server. This server receives an HTTP request from a web browser and then makes the request on behalf of the sending workstation. When the requested page is returned, the proxy server caches a copy of the page locally. The next time someone requests the same web page or Internet information, the page can be delivered from the local cache instead of the proxy server having to formulate a new request to the web server on the Internet. This speeds up web surfing for commonly accessed pages. Web proxies can also increase network security by filtering out content that is considered insecure, such as executables, scripts, or viruses.

FTP Proxy

FTP proxies handle the uploading and downloading of files from a server on behalf of a workstation. An FTP proxy operates in a fashion similar to that of a web proxy. As with web proxies, FTP proxies can filter out undesirable content (viruses and the like).

SMTP Proxy

SMTP proxies handle Internet e-mail. Here, the actual contents of the packet and mail can be automatically searched. Any packets or messages that contain material that is not considered secure can be blocked. Many SMTP proxies allow network virus protection software to scan inbound mail.

Note Not every firewall falls into a category. Traditional firewall vendors are adding features to their firewalls to make them difficult to classify. Vendors who traditionally offered packet-filtering solutions are now also offering proxy solutions, and vendors who traditionally offered proxy solutions are now also offering packet-filtering solutions. The network administrator can now get a packet-filtering firewall and a proxy firewall combined into one product. Dual-style firewalls are considered hybrids.

Security Protocols

The security of data that is traversing the Internet is of prime concern to many people, including business owners. For the most part, data is sent across the Internet without any encryption or security. Sensitive data, however, is usually sent using one of several different security protocols. Security protocols are those sets of conditions or rules that define how a secure connection is maintained when transmitting data via an unsecure medium (like the Internet). The Network+ exam tests your knowledge of four of the most popular. They are:
L2TP
IPSec
SSL
Kerberos

L2TP

The Layer 2 Tunneling Protocol (L2TP) is a protocol designed by the Internet Engineering Task Force (IETF) that supports non-TCP/IP protocols in virtual private networks (VPNs) over the Internet. It’s a combination of the Microsoft Point-to-Point Tunneling Protocol (PPTP) and Cisco’s Layer 2 Forwarding (L2F) technology. Because it operates at the Data Link layer (Layer 2) of the OSI model, it supports many different protocols, such as IPX and AppleTalk. It’s a good protocol to implement when you have two non-TCP/IP networks that need to be connected via the Internet.

IPSec

IPSecurity, or IPSec, is a security protocol designed by the IETF to provide authentication and encryption over the Internet. IPSec works at the Network layer of the OSI model (Layer 3) and secures all applications that operate above it (Layer 4 and above). Additionally, because it was designed by the IETF and designed to work with IPv4 and IPv6, it has broad industry support and is quickly becoming the standard for VPNs on the Internet.

SSL

The Secure Sockets Layer (SSL) security protocol was developed by Netscape for integration into its Navigator browser. SSL is based on RSA public key encryption, and is used to provide secure Session layer connections over the Internet. It is service-independent, so many different network applications can be secured using SSL. The HTTP Secure (HTTPS) protocol is based on SSL. Eventually, SSL was merged with other Transport layer security protocols by the IETF to form a new protocol called Transport Layer Security (TLS).

Kerberos

Kerberos is not just a protocol, but an entire security system. Created at MIT, it establishes a user’s identity when they first log on to a system that uses Kerberos. That identity and its security credentials are then used throughout an entire logon session. It uses strong encryption to encrypt all transactions and communication. This encryption is freely available, and the source code for it can be freely downloaded from many different sites on the Internet.

Comparing Firewall Operating System Platforms

Comparing Firewall Operating System Platforms

Most firewalls are implemented as a combination of hardware and software. The hardware is typically a server-class machine. The software is usually specially written and sits on top of an NOS. Firewalls are typically dedicated computers (that is, they don’t do file/print serving or perform any other network function).

Let’s briefly look at each of the four major network operating systems and how each implements a firewall.

Note Remember that in addition to firewall software, you need at least two NICs (some firewall products use three) to have a functional firewall.

The Unix Operating System

Unix is the NOS on which the Internet is based and, as such, is also the NOS on which firewalls are based. In Unix, you can unload and lock down individual services. This means that you can configure a Unix server so that only the firewall service is up and running. Proponents of Unix argue that it is more secure than other operating systems because nonessential services can be removed, though knowledgeable Microsoft or Novell administrators can do the same with Windows and NetWare.

To support multiple segments, the firewall needs a number of network interface cards. An advantage of using Unix-based firewalls is that they allow the most network cards (more than 32). NetWare has a practical limit of 16, and Windows is currently limited to 4.

Unix is a command-line based operating system and, thus, doesn’t lend itself to the most friendly firewall platform in the world. However, since the introduction of the X Window interface (and firewall software’s adoption of it), Unix-based firewalls have become easier to use.

Finally, because firewalls must examine hundreds, even thousands, of packetsper second, speed is a major factor in all firewall platforms. Many companies make security products for both Unix and Windows NT/2000. Unix implementations tend to be significantly faster than Windows NT/2000 implementations. If you’re communicating over a T1 line, however, platform speed won’t create a bottleneck. This only becomes a problem when your corporation gets into the higher connection speeds that T3, OC3, and other connections provide (and, therefore, your firewall must be examining more packets per second). In these cases, you should consider Unix-based firewall implementations.

NetWare

NetWare, through the leverage of NDS, provides for easy network administration through NetWare Administrator, the graphical utility that runs on Windows 95/98 and Windows NT/2000. The primary firewall is Novell’s own product, BorderManager. BorderManager installs onto NetWare servers and has a NetWare Administrator snap-in. With this feature, you can continue to use familiar NetWare tools to manage the many aspects of your network, including the firewall.

As a firewall platform NetWare offers two major benefits: speed (which is discussed below) and client compatibility. NetWare is compatible with just about every client platform, including Mac OS, Windows 95/98, Windows NT/2000, DOS, and OS/2. NetWare (with BorderManager) can offer firewall protection for all of these client platforms.

BorderManager integrates with NDS and thus can be managed with NetWare’s single administration utility, NetWare Administrator. This makes BorderManager an easy-to-use firewall product, especially for experienced NetWare network administrators.

NetWare’s core operating system has been optimized for the Intel platform, which is cheap and widely available. Apart from Unix running on a RISC processor, NetWare is considered by the IT industry the fastest, and most efficient, network operating system. BorderManager running on NetWare is one of the fastest firewall software packages available.

Windows NT/2000

As Windows NT and 2000 become more and more popular, firewall developers are porting their software from Unix to Windows. However, because of security problems associated with Windows (see the WinNuke discussion later in this chapter), it doesn’t rival Unix or NetWare for firewall installations. As these problems are solved (through patches and other fixes, and likely in future editions of Windows), Windows NT and 2000 will gain ground in the firewall market.

Most third-party, Windows-based firewalls can integrate with Windows Domain/Active Directory security. This allows proxies to use Windows usernames and passwords.

The primary advantage of a Windows firewall is that it can be managed through a graphical user interface, as can Windows itself. Windows servers (and thus firewalls based on them) are more intuitive to the general user than a Unix operating system, with almost the same level of features. If your network support staff is well versed in Windows, the learning curve for a new firewall will not be as steep as that for another operating system.

Windows, however, isn’t the fastest NOS platform, mainly because of the overhead required to maintain the graphical interface; thus, firewalls running on it aren’t the fastest. To address this issue, some firewall vendors are adding hardware accelerator cards to increase firewall throughput. Microsoft is advancing the line of Windows servers to utilize more than a dozen CPUs and gigabytes of memory in one box so that performance can be increased to much higher levels. These new features will make Windows NT much faster and thus more effective as a firewall platform. With the advent of Windows 2000 servers, high-end throughput speeds are possible.

The Black Box

A black box firewall implementation is your fourth choice. You do not know what operating system is inside the box, but it is definitely not Windows. It might be a special implementation of Unix or a completely proprietary system. These implementations tend to have the fastest throughput because they are designed specifically as firewalls, rather than as file and print network operating systems that run firewall software. Cisco’s PIX Firewall is an example of a proprietary black box system.

The major feature of a black box firewall is simplicity. You don’t have to worry about extraneous features such as file or print services. The box is only a firewall, not a server and a firewall.

Ease of use is not, however, a feature of a black box, which often lacks a screen or an input device. The administrator must rely on connecting to the black box using an external keyboard or terminal to change firewall configuration data. This is not typically a problem with firewalls that don’t require significant configuration (as in simpler network implementations). In this case, once the firewall is configured, you can pretty much leave it alone.

Given the dedicated nature of black box firewalls (they aren’t used to provide other network services) and that they are designed from the ground up as firewalls, they are often very efficient and fast. They use RISC processors and operating systems designed specifically for a firewall. Unfortunately, black boxes cannot be upgraded easily and often must be replaced as new technology is released.

Attack and Defense

Attack and Defense

You can view the interaction between a hacker and a network administrator in different ways. You can see a harmless game of cat and mouse or a terrorist attack on national security. In either case, a person attempts to break into or crash your system. You, as the network administrator, work at preventing and tracking the attacks.